Abstract. The synthesis problem asks to construct a reactive finite-state system from an $\omega$-regular specification. Initial specifications are often unrealizable, which means that there is no system that implements the specification. A common reason for unrealizability is that assumptions on the environment of the system are incomplete. We study the problem of correcting an unrealizable specification $\varphi$ by computing an environment assumption $\psi$ such that the new specification $\psi \rightarrow \varphi$ is realizable. Our aim is to construct an assumption $\psi$ that constrains only the environment and is as weak as possible. We present a two-step algorithm for computing assumptions. The algorithm operates on the game graph that is used to answer the realizability question. First, we compute a safety assumption that removes a minimal set of environment edges from the graph. Second, we compute a liveness assumption that puts fairness conditions on some of the remaining environment edges. We show that the problem of finding a minimal set of fair edges is computationally hard, and we use probabilistic games to compute a locally minimal fairness assumption.

1 Introduction 

Model checking has become one of the most successful verification techniques in hardware and software design. Although the methods are automated, the success of a verification process highly depends on the quality of the specifications. Writing correct and complete specifications is a tedious task: it usually requires several iterations until a satisfactory specification is obtained. Specifications are often too weak (e.g., they may be vacuously satisfied [1, 13]) or too strong (e.g., they may allow too many environment behaviors), resulting in spurious counterexamples. In this work we automatically strengthen the environment constraints within specifications whose assumptions about the environment behavior are so weak as to make it impossible for a system to satisfy the specification.

Automatically deriving environment assumptions has been studied from several points of view. For 
instance, in circuit design one is interested in automatically constructing environment models that can be 
used in test-bench generation [20, 18]. In compositional verification, environment assumptions have been 
generated as the weakest input conditions under which a given software or hardware component satisfies a 
given specification [3, 6]. We follow a different path by leaving the design completely out of the picture and 
deriving environment assumptions from the specification alone. Given a specification, we aim to compute 
a least restrictive environment that allows for an implementation of the specification. 

The assumptions that we compute can assist the designer in different ways. They can be used as baseline necessary conditions in component-based model checking. They can be used in designing interfaces and generating test cases for components before the components themselves are implemented. They can provide insights into the given specification. And above all, in the process of automatically constructing an implementation for the given specification ("synthesis"), they can be used to correct the specification in a way that makes implementation possible.

While specifications of closed systems can be implemented if they are satisfiable, specifications of open systems can be implemented if they are realizable, i.e., there is a system that satisfies the specification without constraining the inputs. The key idea of our approach is that a given specification, if it is not realizable, cannot be complete and has to be weakened by introducing assumptions on the environment of the system. Formally, given an $\omega$-regular specification $\varphi$ which is not realizable, we compute a condition $\psi$ such that the new specification $\psi \rightarrow \varphi$ is realizable. Our aim is to construct a condition $\psi$ that does not constrain the system and is as weak as possible. The notion that $\psi$ must constrain only the environment can be captured by requiring that $\psi$ itself is realizable for the environment, i.e., there exists an environment that satisfies $\psi$ without constraining the outputs of the system (in general, in a closed loop around system and environment, or controller and plant, both $\varphi$ and $\psi$ refer to inputs as well as outputs).

The notion that $\psi$ be as weak as possible is more difficult to capture. We will show that in certain situations, there is no unique weakest environment-realizable assumption $\psi$, and in other situations, it is NP-hard to compute such an assumption.

Example. During our efforts of formally specifying certain hardware designs [4, 5], several unrealizable specifications were produced. One specification was particularly difficult to analyze. Its structure can be simplified to the following example. Consider a reactive system with the signals req, cancel, and grant, where grant is the only output signal. The specification requires that (i) every request is eventually granted starting from the next time step, written in linear temporal logic as $G(req \rightarrow X\,F\, grant)$; and (ii) whenever the input cancel is received or grant is high, then grant has to stay low in the next time step, written $G((cancel \lor grant) \rightarrow X \neg grant)$. This specification is not realizable because the environment can force, by sending cancel all the time, that the grant signal has to stay low forever (Part (ii)). If grant has to stay low, then a request cannot be answered and Part (i) of the specification is violated. One assumption that clearly makes this specification realizable is $\psi_1 = G(\neg cancel)$. This assumption is undesirable because it completely forbids the environment to send cancel. A system synthesized with this assumption would simply ignore the signal cancel. The assumptions $\psi_2 = G(F(\neg cancel))$ and $\psi_3 = G(req \rightarrow F(\neg cancel))$ are more desirable but still not satisfactory: $\psi_2$ forces the environment to lower cancel infinitely often even when no requests are sent, and $\psi_3$ is not strong enough to implement a system that in each step first produces an output and then reads the input: assume the system starts with output grant = 0 in time step 0, then receives the input req = 1 and cancel = 0; now in time step 1, it can choose between (a) grant = 1, or (b) grant = 0. If it chooses to set grant to high by (a), then the environment can provide the same inputs once more (req = 1 and cancel = 0) and can set all subsequent inputs to req = 0 and cancel = 1. Then the environment has satisfied $\psi_3$ because during the two requests in time steps 0 and 1 cancel was kept low, but the system cannot fulfill Part (i) of its specification without violating Part (ii), due to grant = 1 in time step 1 and cancel = 1 afterwards. On the other hand, if the system decides to set grant = 0 by (b), then the environment can choose to set the inputs to req = 0 and cancel = 1, and the system again fails to fulfill Part (i) without violating (ii). The assumption $\psi_4 = G(req \rightarrow X\,F(\neg cancel))$, which is a subset of $\psi_3$, is sufficient. However, there are infinitely many sufficient assumptions between $\psi_3$ and $\psi_4$, e.g., $(\neg cancel \land X(\psi_4)) \lor \psi_4$. The assumption $\psi_5 = G(req \rightarrow X\,F(\neg cancel \lor grant))$ is also weaker than $\psi_4$ and still sufficient, because the environment only needs to lower cancel eventually if a request has not been answered yet. Finally, let $\theta = req \rightarrow X\,F(\neg cancel \lor grant)$ and consider the assumption $\psi_6 = \theta\ W\ ((cancel \lor grant) \land X\, grant)$, where $W$ denotes the weak-until operator; this is a sufficient assumption. It is desirable because it states that whenever a request is sent the environment has to eventually lower cancel if it has not seen a grant, but as soon as the system violates its specification (Part (ii)) all restrictions on the environment are dropped. If we replace $\theta$ in $\psi_6$ with $\theta' = req \rightarrow F(\neg cancel \lor grant)$, we get again an assumption that is not sufficient for the specification to be realizable. This example shows that the notions of weakest and desirable are hard to capture.



Contributions. The realizability problem (and synthesis problem) can be reduced to emptiness checking for tree automata, or equivalently, to solving turn-based two-player games on graphs. More specifically, an $\omega$-regular specification $\varphi$ is realizable iff there exists a winning strategy in a certain parity game constructed from $\varphi$. If $\varphi$ is not realizable, then we construct an environment assumption $\psi$ such that $\psi \rightarrow \varphi$ is realizable, in two steps. First, we compute a safety assumption that removes a minimal set of environment edges from the game graph. Second, we compute a liveness assumption that puts fairness conditions on some of the remaining environment edges of the game graph: if these edges can be chosen by the environment infinitely often, then they need to be chosen infinitely often. While the problem of finding a minimal set of fair edges is shown to be NP-hard, a local minimum can be found in polynomial time (in the size of the game graph) for Büchi and co-Büchi specifications, and in NP ∩ coNP for parity specifications. The algorithm for checking the sufficiency of a set of fair edges is of independent theoretical interest, as it involves a novel reduction of deterministic parity games to probabilistic parity games.

We show that the resulting conjunction of safety and liveness assumptions is sufficient to make the specification realizable, and is itself realizable by the environment. We also illustrate the algorithm on several examples, showing that it computes natural assumptions.

Related work. There is some related work on games that are not winning, on methods of restricting the environment, and on constructing most general winning strategies in games. The work of [10] considers games that are not winning, and studies best-effort strategies in such games. However, relaxing the winning objective to make the game winning is not considered. In [7], a notion of non-zero-sum game is proposed, where the strategies of the environment are restricted according to a given objective, but the paper does not study how to obtain an environment objective that is sufficient to transform the game into a winning one. A minimal assumption on a player with an objective can be captured by the most general winning strategy for the objective. The result of [2] shows that such most general winning strategies exist only for safety games, and also presents an approach to compute a strategy, called a permissive strategy, that subsumes the behavior of all memoryless winning strategies. Our approach is different, as it attempts to construct the minimal assumption for the environment that makes the game winning, and we derive assumptions from the specification alone.

Outline. In Section 2, we introduce the necessary theoretical background for defining and computing environment assumptions. Section 3 discusses environment assumptions and why they are difficult to capture. In Sections 4 and 5, we compute, respectively, safety and liveness assumptions, which are then combined in Section 6.

2 Preliminaries 

Words, Languages, Safety, and Liveness. Given a finite alphabet $\Sigma$ and an infinite word $w \in \Sigma^\omega$, we use $w_i$ to denote the $(i+1)$-th letter of $w$, and $w^i$ to denote the finite prefix of $w$ of length $i+1$. Note that the first letter of a word has index 0. Given a word $w \in \Sigma^\omega$, we write $\mathrm{even}(w)$ for the subsequence of $w$ consisting of the even positions ($\forall i \ge 0: \mathrm{even}(w)_i = w_{2i}$). Similarly, $\mathrm{odd}(w)$ denotes the subsequence of the odd positions. Given a set $L \subseteq \Sigma^\omega$ of infinite words, we define the set of finite prefixes by $\mathrm{prefixes}(L) = \{u \in \Sigma^* \mid \exists w \in L,\, i \ge 0: u = w^i\}$. Given a set $L \subseteq \Sigma^*$ of finite words, we define the set of infinite limits by $\mathrm{safety}(L) = \{w \in \Sigma^\omega \mid \forall i \ge 0: w^i \in L\}$. We consider languages of infinite words. A language $L \subseteq \Sigma^\omega$ is a safety language if $L = \mathrm{safety}(\mathrm{prefixes}(L))$. A language $L \subseteq \Sigma^\omega$ is a liveness language if $\mathrm{prefixes}(L) = \Sigma^*$. Every language $L \subseteq \Sigma^\omega$ can be presented as the intersection of the safety language $\mathrm{safety}(\mathrm{prefixes}(L))$ and the liveness language $L \cup (\Sigma^\omega \setminus \mathrm{safety}(\mathrm{prefixes}(L)))$.



Transducers. We model reactive systems as deterministic finite-state transducers. We fix a finite set $P$ of atomic propositions, and a partition of $P$ into a set $O$ of output propositions and a set $I$ of input propositions. We use the corresponding alphabets $\Sigma = 2^P$, $\mathcal{O} = 2^O$, and $\mathcal{I} = 2^I$. A Moore transducer with input alphabet $\mathcal{I}$ and output alphabet $\mathcal{O}$ is a tuple $T = (Q, q_I, \delta, \kappa)$, where $Q$ is a finite set of states, $q_I \in Q$ is the initial state, $\delta: Q \times \mathcal{I} \rightarrow Q$ is the transition function, and $\kappa: Q \rightarrow \mathcal{O}$ is a state labeling function. A Mealy transducer is like a Moore transducer, except that $\kappa: Q \times \mathcal{I} \rightarrow \mathcal{O}$ is a transition labeling function. A Moore transducer describes a reactive system that reads words over the alphabet $\mathcal{I}$ and writes words over the alphabet $\mathcal{O}$. The environment of the system, in turn, can be described by a Mealy transducer with input alphabet $\mathcal{O}$ and output alphabet $\mathcal{I}$. We extend the definition of the transition function $\delta$ to finite words $w \in \mathcal{I}^*$ inductively by $\delta(q, \varepsilon) = q$ and $\delta(q, w) = \delta(\delta(q, w^{|w|-2}), w_{|w|-1})$ for $|w| > 0$. Given an input word $w \in \mathcal{I}^\omega$, the run of $T$ over $w$ is the infinite sequence $\pi \in Q^\omega$ of states such that $\pi_0 = q_I$, and $\pi_{i+1} = \delta(\pi_i, w_i)$ for all $i \ge 0$. The run $\pi$ over $w$ generates the infinite word $T(w) \in \Sigma^\omega$ defined by $T(w)_i = \kappa(\pi_i) \cup w_i$ for all $i \ge 0$ in the case of Moore transducers; and $T(w)_i = \kappa(\pi_i, w_i) \cup w_i$ for all $i \ge 0$ in the Mealy case. The language of the transducer $T$ is the set $L(T) = \{T(w) \mid w \in \mathcal{I}^\omega\}$ of infinite words generated by runs of $T$.
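The closed loop described above, with a Moore system writing its output before reading the input and a Mealy environment answering in the same step, as an added example that is not part of the paper. The request/cancel/grant system (a system one might synthesize under $\psi_1 = G(\neg cancel)$ from the introductory example, so it ignores cancel), the two environments, and the finite-prefix checks of Parts (i) and (ii) are all constructed here for illustration.

```python
"""Moore system in closed loop with a Mealy environment (added example, not
from the paper). The request/cancel/grant system, the two environments and
the trace checks are all constructed for illustration."""
from typing import Callable, Dict, FrozenSet, List, Tuple

Letter = FrozenSet[str]  # a letter of Sigma = 2^P: the set of propositions that are true


def letter(*props: str) -> Letter:
    return frozenset(props)


class Moore:
    """T = (Q, q_I, delta, kappa) with kappa: Q -> O; the output is fixed before the input is read."""

    def __init__(self, q_init: str, delta: Dict[Tuple[str, Letter], str], kappa: Dict[str, Letter]):
        self.q_init, self.delta, self.kappa = q_init, delta, kappa

    def output(self, q: str) -> Letter:
        return self.kappa[q]

    def step(self, q: str, inp: Letter) -> str:
        return self.delta[(q, inp)]


class Mealy:
    """E = (Q, q_I, delta, kappa) with kappa: Q x I -> O; the output may depend on the current input."""

    def __init__(self, q_init: str, delta: Callable[[str, Letter], str],
                 kappa: Callable[[str, Letter], Letter]):
        self.q_init, self.step, self.output = q_init, delta, kappa


def closed_loop(system: Moore, env: Mealy, steps: int) -> List[Letter]:
    """Prefix of T(w) for the input word w chosen by env: in step i the Moore
    system writes kappa(pi_i), the Mealy environment reads that letter and
    answers with w_i, and kappa(pi_i) | w_i is recorded (T(w)_i as defined above)."""
    q, e = system.q_init, env.q_init
    word: List[Letter] = []
    for _ in range(steps):
        out = system.output(q)
        inp = env.output(e, out)
        word.append(out | inp)
        q, e = system.step(q, inp), env.step(e, out)
    return word


INPUTS = [letter(), letter("req"), letter("cancel"), letter("req", "cancel")]  # I = 2^{req, cancel}


def _next_state(q: str, inp: Letter) -> str:
    # Constructed system for psi_1 = G(not cancel): it ignores cancel entirely.
    if q == "idle":
        return "grant" if "req" in inp else "idle"
    if q == "grant":                                   # Part (ii): grant must be low next step,
        return "pending" if "req" in inp else "idle"   # so a request seen now is answered one step later
    return "grant"                                     # pending -> grant


SYSTEM = Moore(
    "idle",
    {(q, i): _next_state(q, i) for q in ("idle", "grant", "pending") for i in INPUTS},
    {"idle": letter(), "grant": letter("grant"), "pending": letter()},
)

# Constructed environment that satisfies psi_1: a request every other step, never cancel.
POLITE = Mealy("0", lambda e, _o: "1" if e == "0" else "0",
               lambda e, _o: letter("req") if e == "0" else letter())
# Constructed environment that violates psi_1: req and cancel in every step.
CANCELLER = Mealy("0", lambda e, _o: "0", lambda e, _o: letter("req", "cancel"))


def part_ii_holds(word: List[Letter]) -> bool:
    """G((cancel or grant) -> X not grant), checked on a finite prefix."""
    return all(not (("cancel" in a or "grant" in a) and "grant" in b)
               for a, b in zip(word, word[1:]))


def part_i_holds_within(word: List[Letter], bound: int) -> bool:
    """Bounded reading of G(req -> X F grant): every request whose window fits in
    the prefix is followed by grant within `bound` steps."""
    return all(any("grant" in word[j] for j in range(i + 1, i + bound + 1))
               for i, a in enumerate(word) if "req" in a and i + bound < len(word))


if __name__ == "__main__":
    for name, env in (("polite", POLITE), ("canceller", CANCELLER)):
        w = closed_loop(SYSTEM, env, 8)
        print(name, [sorted(x) for x in w], part_i_holds_within(w, 2), part_ii_holds(w))
```

Against POLITE the generated word alternates {req}, {grant}, and both parts hold on the prefix; against CANCELLER the very first cancel is followed by a grant, so Part (ii) is violated. That is exactly why $\psi_1$ is undesirable: the system it licenses is only correct for environments that never cancel.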

Specifications and Realizability. A specification of a reactive system is an $\omega$-regular language $L \subseteq \Sigma^\omega$. We use Linear Temporal Logic (LTL) formulae over the atomic propositions $P$, as well as $\omega$-automata with transition labels from $\Sigma$, to define specifications. Given an LTL formula (resp. $\omega$-automaton) $\varphi$, we write $L(\varphi) \subseteq \Sigma^\omega$ for the set of infinite words that satisfy (resp. are accepted by) $\varphi$. A transducer $T$ satisfies a specification $L(\varphi)$, written $T \models \varphi$, if $L(T) \subseteq L(\varphi)$. Given an LTL formula (resp. $\omega$-automaton) $\varphi$, the realizability problem asks if there exists a transducer $T$ with input alphabet $\mathcal{I}$ and output alphabet $\mathcal{O}$ such that $T \models \varphi$. The specification $L(\varphi)$ is Moore realizable if such a Moore transducer $T$ exists, and Mealy realizable if such a Mealy transducer $T$ exists. Note that for an LTL formula, the specification $L(\varphi)$ is Mealy realizable iff $L(\varphi')$ is Moore realizable, where the LTL formula $\varphi'$ is obtained from $\varphi$ by replacing all occurrences of $o \in O$ by $X\,o$. The process of constructing a suitable transducer $T$ is called synthesis. The synthesis problem can be solved by computing winning strategies in graph games.

Graph games. We consider two classes of turn-based games on graphs, namely, two-player probabilistic games and two-player deterministic games. The probabilistic games are not needed for synthesis, but we will use them for constructing environment assumptions. For a finite set $A$, a probability distribution on $A$ is a function $\delta: A \rightarrow [0, 1]$ such that $\sum_{a \in A} \delta(a) = 1$. We denote the set of probability distributions on $A$ by $\mathcal{D}(A)$. Given a distribution $\delta \in \mathcal{D}(A)$, we write $\mathrm{Supp}(\delta) = \{x \in A \mid \delta(x) > 0\}$ for the support of $\delta$. A probabilistic game graph $G = ((S, E), (S_1, S_2, S_P), \delta)$ consists of a finite directed graph $(S, E)$, a partition $(S_1, S_2, S_P)$ of the set $S$ of states, and a probabilistic transition function $\delta: S_P \rightarrow \mathcal{D}(S)$. The states in $S_1$ are player-1 states, where player 1 decides the successor state; the states in $S_2$ are player-2 states, where player 2 decides the successor state; and the states in $S_P$ are probabilistic states, where the successor state is chosen according to the probabilistic transition function. We require that for all $s \in S_P$ and $t \in S$, we have $(s, t) \in E$ iff $\delta(s)(t) > 0$, and we often write $\delta(s, t)$ for $\delta(s)(t)$. For technical convenience we also require that every state has at least one outgoing edge. Given a subset $E' \subseteq E$ of edges, we write $\mathrm{Source}(E')$ for the set $\{s \in S \mid \exists t \in S: (s, t) \in E'\}$ of states that have an outgoing edge in $E'$. The deterministic game graphs are the special case of the probabilistic game graphs with $S_P = \emptyset$, that is, a deterministic game graph $G = ((S, E), (S_1, S_2))$ consists of a directed graph $(S, E)$ together with the partition of the state space $S$ into player-1 states $S_1$ and player-2 states $S_2$.

Plays and Strategies. An infinite path, or play, of the game graph $G$ is an infinite sequence $\pi = s_0 s_1 s_2 \ldots$ of states such that $(s_k, s_{k+1}) \in E$ for all $k \ge 0$. We write $\Pi$ for the set of plays, and for a state $s \in S$, we write $\Pi_s \subseteq \Pi$ for the set of plays that start from $s$. A strategy for player 1 is a function $\alpha: S^* \cdot S_1 \rightarrow S$ that for all finite sequences of states ending in a player-1 state (the sequence represents a prefix of a play), chooses a successor state to extend the play. A strategy must prescribe only available moves, that is, $\alpha(\tau \cdot s) \in E(s)$ for all $\tau \in S^*$ and $s \in S_1$, where $E(s) = \{t \in S \mid (s, t) \in E\}$ is the set of successors of $s$. The strategies for player 2 are defined analogously. Note that we have only pure (i.e., nonprobabilistic) strategies. We denote by $\mathcal{A}$ and $\mathcal{B}$ the set of strategies for player 1 and player 2, respectively. A strategy $\alpha$ is memoryless if it does not depend on the history of the play but only on the current state. A memoryless player-1 strategy can be represented as a function $\alpha: S_1 \rightarrow S$, and a memoryless player-2 strategy is a function $\beta: S_2 \rightarrow S$. We denote by $\mathcal{A}^M$ and $\mathcal{B}^M$ the set of memoryless strategies for player 1 and player 2, respectively.

Once a starting state $s \in S$ and strategies $\alpha \in \mathcal{A}$ and $\beta \in \mathcal{B}$ for the two players are fixed, the outcome of the game is a random walk $\pi_s^{\alpha,\beta}$ for which the probabilities of events are uniquely defined, where an event $\mathcal{E} \subseteq \Pi$ is a measurable set of plays. Given strategies $\alpha$ for player 1 and $\beta$ for player 2, a play $\pi = s_0 s_1 s_2 \ldots$ is feasible if for all $k \ge 0$, we have $\alpha(s_0 s_1 \ldots s_k) = s_{k+1}$ if $s_k \in S_1$, and $\beta(s_0 s_1 \ldots s_k) = s_{k+1}$ if $s_k \in S_2$. Given two strategies $\alpha \in \mathcal{A}$ and $\beta \in \mathcal{B}$, and a state $s \in S$, we denote by $\mathrm{Outcome}(s, \alpha, \beta) \subseteq \Pi_s$ the set of feasible plays that start from $s$. Note that for deterministic game graphs, the set $\mathrm{Outcome}(s, \alpha, \beta)$ contains a single play. For a state $s \in S$ and an event $\mathcal{E} \subseteq \Pi$, we write $\mathrm{Pr}_s^{\alpha,\beta}(\mathcal{E})$ for the probability that a play belongs to $\mathcal{E}$ if the game starts from the state $s$ and the two players follow the strategies $\alpha$ and $\beta$, respectively.

Objectives. An objective for a player is a set $\Phi \subseteq \Pi$ of winning plays. We consider $\omega$-regular sets of winning plays, which are measurable. For a play $\pi = s_0 s_1 s_2 \ldots$, let $\mathrm{Inf}(\pi)$ be the set $\{s \in S \mid s = s_k \text{ for infinitely many } k \ge 0\}$ of states that appear infinitely often in $\pi$.

1. Reachability and safety objectives. Given a set $F \subseteq S$ of states, the reachability objective $\mathrm{Reach}(F)$ requires that some state in $F$ be visited, and dually, the safety objective $\mathrm{Safe}(F)$ requires that only states in $F$ be visited. Formally, the sets of winning plays are $\mathrm{Reach}(F) = \{s_0 s_1 s_2 \ldots \in \Pi \mid \exists k \ge 0: s_k \in F\}$ and $\mathrm{Safe}(F) = \{s_0 s_1 s_2 \ldots \in \Pi \mid \forall k \ge 0: s_k \in F\}$.

2. Büchi and co-Büchi objectives. Given a set $F \subseteq S$ of states, the Büchi objective $\mathrm{Buchi}(F)$ requires that some state in $F$ be visited infinitely often, and dually, the co-Büchi objective $\mathrm{coBuchi}(F)$ requires that only states in $F$ be visited infinitely often. Thus, the sets of winning plays are $\mathrm{Buchi}(F) = \{\pi \in \Pi \mid \mathrm{Inf}(\pi) \cap F \neq \emptyset\}$ and $\mathrm{coBuchi}(F) = \{\pi \in \Pi \mid \mathrm{Inf}(\pi) \subseteq F\}$.

3. Parity objectives. Given a function $p: S \rightarrow \{0, 1, 2, \ldots, d-1\}$ that maps every state to a priority, the parity objective $\mathrm{Parity}(p)$ requires that of the states that are visited infinitely often, the least priority be even. Formally, the set of winning plays is $\mathrm{Parity}(p) = \{\pi \in \Pi \mid \min\{p(\mathrm{Inf}(\pi))\} \text{ is even}\}$. The dual, co-parity objective has the set $\mathrm{coParity}(p) = \{\pi \in \Pi \mid \min\{p(\mathrm{Inf}(\pi))\} \text{ is odd}\}$ of winning plays.

The parity objectives are closed under complementation: given a function $p: S \rightarrow \{0, 1, \ldots, d-1\}$, consider the function $p+1: S \rightarrow \{1, 2, \ldots, d\}$ defined by $(p+1)(s) = p(s) + 1$ for all $s \in S$; then $\mathrm{Parity}(p+1) = \mathrm{coParity}(p)$. The Büchi and co-Büchi objectives are special cases of parity objectives with two priorities, namely, $p: S \rightarrow \{0, 1\}$ for Büchi objectives with $F = p^{-1}(0)$, and $p: S \rightarrow \{1, 2\}$ for co-Büchi objectives with $F = p^{-1}(2)$. The reachability and safety objectives can be turned into Büchi and co-Büchi objectives, respectively, on slightly modified game graphs.

Sure and Almost-Sure Winning. Given an objective $\Phi$, a strategy $\alpha \in \mathcal{A}$ is sure winning for player 1 from a state $s \in S$ if for every strategy $\beta \in \mathcal{B}$ for player 2, we have $\mathrm{Outcome}(s, \alpha, \beta) \subseteq \Phi$. The strategy $\alpha$ is almost-sure winning for player 1 from $s$ for $\Phi$ if for every player-2 strategy $\beta$, we have $\mathrm{Pr}_s^{\alpha,\beta}(\Phi) = 1$. The sure and almost-sure winning strategies for player 2 are defined analogously. Given an objective $\Phi$, the sure winning set $\langle\langle 1 \rangle\rangle_{sure}(\Phi)$ for player 1 is the set of states from which player 1 has a sure winning strategy. Similarly, the almost-sure winning set $\langle\langle 1 \rangle\rangle_{almost}(\Phi)$ for player 1 is the set of states from which player 1 has an almost-sure winning strategy. The winning sets $\langle\langle 2 \rangle\rangle_{sure}(\Phi)$ and $\langle\langle 2 \rangle\rangle_{almost}(\Phi)$ for player 2 are defined analogously. It follows from the definitions that for all probabilistic game graphs and all objectives $\Phi$, we have $\langle\langle 1 \rangle\rangle_{sure}(\Phi) \subseteq \langle\langle 1 \rangle\rangle_{almost}(\Phi)$. In general the subset inclusion relation is strict. For deterministic games the notions of sure and almost-sure winning coincide [14], that is, for all deterministic game graphs and all objectives $\Phi$, we have $\langle\langle 1 \rangle\rangle_{sure}(\Phi) = \langle\langle 1 \rangle\rangle_{almost}(\Phi)$, and in such cases we often omit the subscript. Given an objective $\Phi$, the cooperative winning set $\langle\langle 1, 2 \rangle\rangle_{sure}(\Phi)$ is the set of states $s$ for which there exist a player-1 strategy $\alpha$ and a player-2 strategy $\beta$ such that $\mathrm{Outcome}(s, \alpha, \beta) \subseteq \Phi$.

Theorem 1 (Deterministic games [9]). For all deterministic game graphs and parity objectives $\Phi$, the following assertions hold: (i) $\langle\langle 1 \rangle\rangle_{sure}(\Phi) = S \setminus \langle\langle 2 \rangle\rangle_{sure}(\Pi \setminus \Phi)$; (ii) memoryless sure winning strategies exist for both players from their sure winning sets; and (iii) given a state $s \in S$, whether $s \in \langle\langle 1 \rangle\rangle_{sure}(\Phi)$ can be decided in NP ∩ coNP.

Theorem 2 (Probabilistic games [8]). Given a probabilistic game graph $G = ((S, E), (S_1, S_2, S_P), \delta)$ and a parity objective $\Phi$ with $d$ priorities, we can construct a deterministic game graph $\overline{G} = ((\overline{S}, \overline{E}), (\overline{S}_1, \overline{S}_2))$ with $S \subseteq \overline{S}$, and a parity objective $\overline{\Phi}$ with $d+1$ priorities such that (i) $|\overline{S}| = O(|S| \cdot d)$ and $|\overline{E}| = O(|E| \cdot d)$; and (ii) the set $\langle\langle 1 \rangle\rangle_{almost}(\Phi)$ in $G$ is equal to the set $\langle\langle 1 \rangle\rangle_{sure}(\overline{\Phi}) \cap S$ in $\overline{G}$. Moreover, memoryless almost-sure winning strategies exist for both players from their almost-sure winning sets in $G$.

Realizability Games. The realizability problem has the following game-theoretic formulation.

Theorem 3 (Reactive synthesis [16]). Given an LTL formula (resp. $\omega$-automaton) $\varphi$, we can construct a deterministic game graph $G$, a state $s_I$ of $G$, and a parity objective $\Phi$ such that $L(\varphi)$ is realizable iff $s_I \in \langle\langle 1 \rangle\rangle_{sure}(\Phi)$.

The deterministic game graph $G$ with parity objective $\Phi$ referred to in Theorem 3 is called a synthesis game for $\varphi$. Starting from an LTL formula $\varphi$, we construct the synthesis game by first building a nondeterministic Büchi automaton that accepts $L(\varphi)$ [19]. Then, following the algorithm of [15], we translate this automaton to a deterministic parity automaton that accepts $L(\varphi)$. By splitting every state of the parity automaton w.r.t. inputs $\mathcal{I}$ and outputs $\mathcal{O}$, we obtain the synthesis game. Both steps involve an exponential blowup that is unavoidable: for LTL formulae $\varphi$, the realizability problem is 2EXPTIME-complete [17].

Synthesis games, by relating paths in the game graph to the specification $\varphi$, have the following special form. A synthesis game $\mathcal{G}$ is a tuple $(G, s_I, \lambda, \Phi)$, where $G = ((S, E), (S_1, S_2))$ is a deterministic bipartite game graph, in which player-1 and player-2 states strictly alternate (i.e., $E \subseteq (S_1 \times S_2) \cup (S_2 \times S_1)$), the initial state $s_I \in S_1$ is a player-1 state, the labeling function $\lambda: S \rightarrow \mathcal{O} \cup \mathcal{I}$ maps player-1 and player-2 states to letters in $\mathcal{I}$ and $\mathcal{O}$, respectively (i.e., $\lambda(s) \in \mathcal{I}$ for all $s \in S_1$, and $\lambda(s) \in \mathcal{O}$ for all $s \in S_2$), and $\Phi$ is a parity objective. Furthermore, synthesis games are deterministic w.r.t. input and output labels, that is, for all edges $(s, s'), (s, s'') \in E$, if $\lambda(s') = \lambda(s'')$, then $s' = s''$. Without loss of generality, we assume that synthesis games are complete w.r.t. input and output labels, that is, for all states $s \in S_1$ ($S_2$) and $l \in \mathcal{O}$ ($\mathcal{I}$, respectively), there exists an edge $(s, s') \in E$ such that $\lambda(s') = l$. We define a function $w: \Pi \rightarrow \Sigma^\omega$ that maps each play $\pi$ to an infinite word such that $w(\pi)_i = \lambda(\pi_{2i+1}) \cup \lambda(\pi_{2i+2})$ for all $i \ge 0$. Note that we ignore the label of the initial state. Given a synthesis game $\mathcal{G}$ for a specification formula or automaton $\varphi$, every Moore transducer $T = (Q, q_I, \delta, \kappa)$ that satisfies $L(\varphi)$ represents a winning strategy $\alpha$ of player 1 as follows: for all sequences $\tau \in (S_1 S_2)^* \cdot S_1$, let $w$ be the finite word such that $w_i = \lambda(\tau_{i+1})$ for all $0 \le i < |\tau|$; then, if there exists an edge $(\tau_{|\tau|}, s') \in E$ with $\lambda(s') = \kappa(\delta(q_I, \mathrm{odd}(w)))$, then $\alpha(\tau) = s'$, and otherwise $\alpha(\tau)$ is arbitrary. Conversely, every memoryless winning strategy $\alpha$ of player 1 represents a Moore transducer $T = (Q, q_I, \delta, \kappa)$ that satisfies $L(\varphi)$ as follows: $Q = S_1$, $q_I = s_I$, $\kappa(q) = \lambda(\alpha(q))$, and $\delta(q, l) = s'$ if $\lambda(s') = l$ and $(\alpha(q), s') \in E$.



3 Assumptions 



In this section, we discuss environment assumptions in general, illustrating them through several simple examples, and then identify conditions that every assumption has to satisfy.

Given a specification $\varphi$ that describes the desired behavior of an open system $S$, we search for assumptions on the environment of $S$ that are sufficient to ensure that $S$ exists and satisfies $\varphi$. The assumptions we study are independent of the actual implementation. They are derived from the given specification and can be seen as part of a correct specification. We first define what it means for an assumption to be sufficient.

Let $\varphi$ be a specification. A language $\psi \subseteq \Sigma^\omega$ is a sufficient environment assumption for $\varphi$ if $(\Sigma^\omega \setminus \psi) \cup L(\varphi)$ is realizable.

Example 1. Consider the specification $\varphi = out\ U\ in$. There exists no system $S$ with input in and output out such that $S \models \varphi$, because $S$ cannot control the value of in and $\varphi$ is satisfied only if in eventually becomes true. We have to weaken the specification to make it realizable. A candidate $\psi$ for the assumption is $F\, in$, because it forces the environment to assert the signal in eventually, which allows the system to fulfill $\varphi$. Further candidates are false, which makes the specification trivially realizable, $X\, in$, which forces the environment to assert the signal in in the second step, $F\, out$, or $F\, \neg out$. The last two assumptions lead to new specifications of the following form: $\varphi' = \psi \rightarrow \varphi = F\, out \rightarrow \varphi = G(\neg out) \lor \varphi$. The system can implement $\varphi'$ independent of $\varphi$ simply by keeping out low all the time.

Example 1 shows that there are several assumptions that allow to implement the specification, but not all of them are satisfactory. For example, the assumption false does not provide the desired information. Similarly, the assumption $F\, out$ is not satisfactory, because it cannot be satisfied by any environment that controls in but not out. Intuitively, assumptions that are false or that can be falsified by the system correspond to a new specification $\psi \rightarrow \varphi$ that can be satisfied vacuously [1, 13] by the system. In order to exclude those assumptions, we require that an assumption fulfills the following condition:

(1) Realizable for the environment: The system cannot trivially falsify the assumption, so there exists an implementation of the environment that satisfies $\psi$. Formally, $\psi$ is Mealy realizable.¹

Note that Condition 1 implies that $\varphi$ has to be satisfiable for $\psi$ to exist. If $\varphi$ is not satisfiable there exists only the trivial solution $\psi = \mathit{false}$. We assume from now on that $\varphi$ is satisfiable. Apart from Condition 1, we ask for a condition to compare or order different assumptions. We aim to restrict the environment "as little as possible". An obvious candidate for this order is language inclusion:

(2) Maximum: An assumption $\psi$ is maximal if there exists no other sufficient assumption that includes $\psi$. Formally, there is no language $\psi' \subseteq \Sigma^\omega$ such that $\psi \subsetneq \psi'$ and $(\Sigma^\omega \setminus \psi') \cup L(\varphi)$ is realizable.

The following example shows that using language inclusion we cannot ask for a unique maximal assumption.

Example 2. Consider the specification $\varphi = (out\ U\ in_1) \lor (\neg out\ U\ in_2)$, where $in_1$ and $in_2$ are inputs and out is an output. Again, $\varphi$ is not realizable. Consider the assumptions $\psi_1 = F\, in_1$ and $\psi_2 = F\, in_2$. Both are sufficient because assuming $\psi_1$ the system can keep the signal out constantly high, and assuming $\psi_2$ it can keep out constantly low. However, if we assume the disjunction $\psi = \psi_1 \lor \psi_2$, the system does not know which of the signals $in_1$ and $in_2$ the environment is going to assert eventually. Since a unique maximal assumption has to subsume all other sufficient assumptions and $\psi$ is not sufficient, it follows that there exists no unique maximal assumption that is sufficient.

¹ Note that we ask here for a Mealy transducer, since the system is a Moore transducer.



Let us consider another example to illustrate the difficulties that arise when comparing environment assumptions w.r.t. language inclusion.

Example 3. Assume the specification $\varphi = G(in \rightarrow X\, out) \land G(out \rightarrow X \neg out)$ with input signal in and output signal out. The specification is not realizable because whenever in is set to true in two consecutive steps, the system cannot produce a value for out such that $\varphi$ is satisfied. One natural assumption is $\psi = G(in \rightarrow X \neg in)$. Another assumption is $\psi' = \psi \lor F(\neg in \land X\, out)$, which is weaker than $\psi$ w.r.t. language inclusion and still realizable. Looking at the resulting system specification $\psi' \rightarrow \varphi = (\psi \lor F(\neg in \land X\, out)) \rightarrow \varphi \equiv (\psi \rightarrow \varphi) \land (G(\neg in \rightarrow X \neg out) \lor \varphi)$, we see that $\psi'$ restricts the system instead of the environment: since the system cannot guarantee $\varphi$ on its own, it has to guarantee $G(\neg in \rightarrow X \neg out)$ in addition.

Intuitively, using language inclusion as the ordering notion results in maximal environment assumptions that allow only a single implementation for the system. We aim for an assumption that does not restrict the system if possible. One may argue that $\psi$ should talk only about input signals. Let us consider the specification of Example 3 once more. Another sufficient assumption is $\psi'' = (in \rightarrow X \neg in)\ W\ (out \land X\, out)$, where $W$ is the weak-until operator; it is weaker than $\psi$. Intuitively, $\psi''$ requires that the environment guarantees $(in \rightarrow X \neg in)$ as long as the system did not make a mistake (by setting out to true in two consecutive steps), which clearly matches the intuition of an environment assumption. The challenge is to find an assumption that (a) is sufficient, (b) does not restrict the system, and (c) gives the environment maximal freedom.

Note that the assumptions $\psi$ and $\psi''$ are safety assumptions, while the assumptions in Example 2 are liveness assumptions. In general, every language can be split into a safety and a liveness component. We use this separation to provide a way to compute environment assumptions that fulfill our criteria.

We consider restrictions on the game graphs of synthesis games to find sufficient environment assumptions. More precisely, we propose to put restrictions on player-2 edges, because they correspond to decisions the environment can make. If the given specification is satisfiable, this choice of restrictions leads to assumptions that are realizable for the environment.

4 Safety Assumptions 

In this section, we define and compute an assumption that restricts the safety behavior of the environment. 
4.1 Non-restrictive Safety Assumption on Games 

Given a deterministic game graph G = ((S, E), (S_1, S_2)) and the winning objective Φ for player 1. A
safety assumption on the set E_s ⊆ E_2 of edges requires that player 2 chooses only edges outside of E_s.
A synthesis game 𝒢 = (G, s_I, λ) with a safety assumption on E_s defines an environment assumption ψ_{E_s}
as the set of words w ∈ Σ^ω such that there exists a play π ∈ Ω_{s_I} with w = w(π), where for all i ≥ 0, we
have (π_i, π_{i+1}) ∉ E_s.

The set E_s can be seen as a set of forbidden edges of player 2. A natural order on safety assump-
tions is the number of edges in a safety assumption. We write E_s ≤ E_s' if |E_s| ≤ |E_s'| holds. A safety
assumption refers to the safety component of a winning objective, which can be formulated as Φ_S =
Safe(⟨⟨1, 2⟩⟩_sure(Φ)). Formally, the winning objective of player 1 is modified to AssumeSafe(E_s, Φ) =
{π = s_0 s_1 s_2 ... | either (i) there exists i ≥ 0 such that (s_i, s_{i+1}) ∈ E_s, or (ii) π ∈ Φ_S}, denoting the set of
all plays in which either one of the edges in E_s is chosen, or that satisfy the safety component of Φ.

Given a deterministic game graph G = ((S, E), (S_1, S_2)), a winning objective Φ for player 1, and a
safety assumption E_s, the safety assumption on E_s is safe-sufficient for state s ∈ S and Φ if player 1 has a
winning strategy from s for the objective AssumeSafe(E_s, Φ).



Fig. 1. Game with two equally small safe-sufficient assumptions for s_1: E_s = {(s_3, s_1)} and E_s' = {(s_5, s_7)}.

Fig. 2. Synthesis game for G(in → X out) ∧ G(out → X ¬out).

Theorem 4. Let φ be a specification and let 𝒢_φ = (G, s_I, λ) be a synthesis game for φ with the winning
objective Φ. An environment assumption ψ_{E_s} defined by a safety assumption E_s on 𝒢_φ that is safe-sufficient
for s_I and Φ is sufficient for φ' = safety(prefixes(L(φ))). Note that if φ is a safety language, then ψ_{E_s} is
sufficient for φ.

Proof. Since E_s is safe-sufficient for s_I and Φ, player 1 has a memoryless winning strategy σ for s_I and
AssumeSafe(E_s, Φ). We know from Theorem 3 that σ corresponds to a transducer T. We need to show that
the language of the transducer L(T) is a subset of the new specification (Σ^ω \ ψ_{E_s}) ∪ safety(prefixes(L(φ))).
A run of T on a word w ∈ Σ^ω corresponds to a winning play π ∈ AssumeSafe(E_s, Φ) of 𝒢_φ. A play
π' = s_0 s_1 ... ∈ AssumeSafe(E_s, Φ) either has an edge (s_i, s_{i+1}) ∈ E_s, and then w(π') ∈ Σ^ω \ ψ_{E_s}, or
π' ∈ Safe(⟨⟨1, 2⟩⟩_sure(Φ)), and then we have that w(π') ∈ safety(prefixes(L(φ))). □

In the following example, we show that there exist safety games such that for some state s there is no 
unique smallest assumption that is safe-sufficient for s. 

Example 4. Consider the game shown in Figure 1. Circles denote states of player 1, boxes denote states of
player 2. The winning objective of player 1 is to stay in the set {s_1, s_2, s_3, s_4, s_5, s_6} denoted by double
lines. Player 1 has no winning strategy for s_1. There are two equally small safety assumptions that are safe-
sufficient for s_1: E_s = {(s_3, s_1)} and E_s' = {(s_5, s_7)}. In both cases, player 1 has a winning strategy from
state s_1.

If we consider a specification where the corresponding synthesis game has this structure, neither of
these assumptions is satisfactory. Figure 2 shows such a synthesis game for the specification G(in →
X out) ∧ G(out → X ¬out) with input signal in and output signal out (cf. Example 3). Assuming the
safety assumption E_s, the corrected specification would allow only the single implementation where out is
constantly kept low. The second assumption E_s' leads to a corrected specification that additionally enforces
G(¬in → X ¬out).

Besides safe-sufficient, we also ask for an assumption that does not restrict player 1. This condition can
be formulated as follows. Given a deterministic game graph G = ((S, E), (S_1, S_2)), a winning objective Φ
for player 1, and a safety assumption E_s. We call the safety assumption on E_s restrictive for state s ∈
S and Φ if there exist strategies σ of player 1 and β of player 2 such that the play
Outcome(s, σ, β) contains an edge from E_s and is in Φ_S. A non-restrictive safety assumption should allow
any edge that does not lead to an immediate violation of the safety component of the winning objective of
player 1.

Theorem 5. Given a deterministic game graph G = ((S, E), (S_1, S_2)), a winning objective Φ for player 1,
and a state s ∈ S, if s ∈ ⟨⟨1, 2⟩⟩_sure(Φ), then there exists a unique minimal safety assumption E_s that is non-
restrictive and safe-sufficient for state s and Φ. Let s ∈ ⟨⟨1, 2⟩⟩_sure(Φ) and let E_s be this unique minimal
safety assumption for s and Φ, then player 2 has a winning strategy for s and the objective to avoid the edges
in E_s.

Applying this theorem to environment assumptions, we get the following theorem. 

Theorem 6. Let φ be a satisfiable specification and let 𝒢_φ = (G, s_I, λ) be a synthesis game for φ with
winning objective Φ, then there exists a unique minimal safety assumption E_s that is non-restrictive and
safe-sufficient for state s and Φ, and the corresponding environment assumption ψ_{E_s} is realizable for the
environment.

4.2 Computing Non-restrictive Safety Assumptions 

Given a deterministic game graph G and a winning objective Φ, we compute a non-restrictive safety assump-
tion E_s as follows: first, we compute the set ⟨⟨1, 2⟩⟩_sure(Φ). Note that for this set the players cooperate. We
can compute ⟨⟨1, 2⟩⟩_sure(Φ) in polynomial time for all objectives we consider. In particular, if Φ is a parity
condition, ⟨⟨1, 2⟩⟩_sure(Φ) can be computed by reduction to Büchi [12]. The safety assumption E_s is the set
of all player-2 edges (s, t) ∈ E_2 such that s ∈ ⟨⟨1, 2⟩⟩_sure(Φ) and t ∉ ⟨⟨1, 2⟩⟩_sure(Φ).

Theorem 7. Consider a deterministic game graph G with a winning objective Φ. The safety assumption
E_s = {(s, t) ∈ E_2 | s ∈ ⟨⟨1, 2⟩⟩_sure(Φ) and t ∉ ⟨⟨1, 2⟩⟩_sure(Φ)} is the unique minimal safety assumption
that is non-restrictive and safe-sufficient for all states s ∈ ⟨⟨1, 2⟩⟩_sure(Φ). The set E_s can be computed in
polynomial time for all parity objectives.

For the game shown in Figure 1, we obtain the safety assumption E_s = {(s_3, s_1), (s_5, s_7)}. For
the corresponding synthesis game in Figure 2, E_s defines the environment assumption ψ_{E_s} = (¬in ∨
¬out) W ((¬in ∨ ¬out) ∧ ((in ∧ X ¬out) ∨ (out ∧ X out))). This safety assumption meets our intu-
ition of a minimal environment assumption, since it states that the environment has to ensure that either
in or out is low as long as the system makes no obvious fault by either violating G(in → X out) or
G(out → X ¬out).
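As an added illustration of the computation just described (example code written for this page, not the authors' implementation), the following Python computes ⟨⟨1, 2⟩⟩_sure(Φ) for a safety and for a Büchi objective and extracts E_s as in Theorem 7 on a small constructed game graph; the graph, its state names and the helper names are assumptions of this example and are not Figure 1 or Figure 2.

```python
# Constructed game graph (not the paper's Figure 1).  OWNER encodes circles
# (player 1) and boxes (player 2).  s7 is a sink outside every objective;
# s8 is a sink that is safe but from which the Buchi state s2 is unreachable.
SUCC = {
    "s1": ["s2", "s4"], "s2": ["s3"], "s3": ["s1", "s7"], "s4": ["s5"],
    "s5": ["s6", "s7", "s8"], "s6": ["s1"], "s7": ["s7"], "s8": ["s8"],
}
OWNER = {"s1": 1, "s6": 1, "s2": 2, "s3": 2, "s4": 2, "s5": 2, "s7": 2, "s8": 2}
SAFE = {"s1", "s2", "s3", "s4", "s5", "s6", "s8"}   # safety objective Safe(SAFE)
BUCHI = {"s2"}                                      # Buchi objective Buchi(BUCHI)


def coop_safe(succ, safe):
    """<<1,2>>_sure(Safe(safe)): the greatest set of states inside `safe`
    in which every state has a successor that stays in the set (the two
    players cooperate, so one good successor suffices)."""
    win = set(safe)
    while True:
        keep = {s for s in win if any(t in win for t in succ[s])}
        if keep == win:
            return win
        win = keep


def can_reach(succ, target):
    """States that have a path into `target` (backward fixpoint)."""
    result = set(target)
    while True:
        more = {s for s in succ if any(t in result for t in succ[s])}
        if more <= result:
            return result
        result |= more


def coop_buchi(succ, buchi):
    """<<1,2>>_sure(Buchi(buchi)): states from which some path visits a Buchi
    state infinitely often, i.e. states that can reach a Buchi state lying
    on a cycle."""
    recurrent = {b for b in buchi
                 if any(t in can_reach(succ, {b}) for t in succ[b])}
    return can_reach(succ, recurrent)


def safety_assumption(succ, owner, coop):
    """E_s of Theorem 7: the player-2 edges leaving the cooperative winning
    set `coop`.  Forbidding exactly these edges is non-restrictive."""
    return {(s, t) for s in succ if owner[s] == 2
            for t in succ[s] if s in coop and t not in coop}


def assumption_holds(play, e_s):
    """Prefix check of psi_{E_s}: the environment has not used a forbidden
    edge so far (a finite prefix can only refute a safety assumption)."""
    return all((a, b) not in e_s for a, b in zip(play, play[1:]))
```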

5 Liveness Assumptions 

5.1 Strongly Fair Assumptions on Games 

Given a deterministic game graph G = ((S, E), (S_1, S_2)) and the objective Φ for player 1, a strongly
fair assumption is a set E_l ⊆ E_2 of edges requiring that player 2 plays in a way such that if a state
s ∈ Source(E_l) is visited infinitely often, then for all t ∈ S such that (s, t) ∈ E_l, the edge (s, t) is chosen
infinitely often.

This notion is formalized by modifying the objective of player 1 as follows. Let AssumeFair(E_l, Φ) =
{π = s_0 s_1 s_2 ... | either (i) ∃(s, t) ∈ E_l such that s_k = s for infinitely many k's and s_j = t for finitely
many j's, or (ii) π ∈ Φ} denote the set of paths π such that either (i) there is a state s ∈ Source(E_l)
that appears infinitely often in π and there is an edge (s, t) ∈ E_l such that t appears only finitely often in π, or (ii) π
belongs to the objective Φ. In other words, part (i) specifies that the strong fairness assumption on E_l is
violated, and part (ii) specifies that Φ is satisfied. The property that player 1 can ensure Φ against player-
2 strategies respecting the strongly fair assumption on edges is formalized by requiring that player 1 can
satisfy AssumeFair(E_l, Φ) against all player-2 strategies.



Given a deterministic game graph G = ((S, E), (S_1, S_2)) and the objective Φ for player 1, a strongly
fair assumption on E_l ⊆ E_2 is sufficient for state s ∈ S and Φ, if player 1 has a winning strategy for s for
the objective AssumeFair(E_l, Φ). Furthermore, given a deterministic game graph G = ((S, E), (S_1, S_2))
and the objective Φ for player 1, a state s ∈ S is live for player 1 if she has a winning strategy from s for
the winning objective Safe(⟨⟨1, 2⟩⟩_sure(Φ)).

Theorem 8. Given a deterministic game graph G = ((S, E), (S_1, S_2)) and a Reachability, Safety, or Büchi
objective Φ. If s ∈ S is live for player 1, then there exists a strongly fair assumption E_l ⊆ E_2 that is
sufficient for state s ∈ S and Φ.

A synthesis game 𝒢 = (G, s_I, λ) with a strongly fair assumption on E_l defines an environment assump-
tion ψ_{E_l} as the set of words w ∈ Σ^ω such that there exists a play π ∈ Ω_{s_I} with w = w(π) and for all edges
(s, t) ∈ E_l either there exists i ≥ 0 s.t. for all j ≥ i we have π_j ≠ s, or there exist infinitely many k's such
that π_k = s and π_{k+1} = t. Note that this definition and the structure of synthesis games ensure that ψ_{E_l} is
realizable. These definitions together with Theorems 3 and 8 lead to the following theorem.

Theorem 9. Let φ be a specification and 𝒢 = (G, s_I, λ) a synthesis game for φ with winning objective
Φ. If a strongly fair assumption on E_l is sufficient for s_I and Φ, then the environment assumption ψ_{E_l} is
sufficient for φ and realizable for the environment. Furthermore, if Φ is a Reachability, Safety, or Büchi
objective and s_I is live for player 1, then if there exists some sufficient assumption ψ ≠ ∅, then there exists
a strongly fair assumption that is sufficient.

5.2 Computing Strongly Fair Assumptions 

We now focus on the solution of deterministic games with objectives AssumeFair(E_l, Φ), where Φ is a
parity objective. Given a deterministic game graph G, an objective Φ, and a strongly fair assumption E_l on
edges, we first observe that the objective AssumeFair(E_l, Φ) can be expressed as an implication: a strong
fairness condition implies Φ. Hence, given that Φ is a Büchi, coBüchi or parity objective, the solution of games
with objective AssumeFair(E_l, Φ) can be reduced to deterministic Rabin games. However, since
deterministic Rabin games are NP-complete, we would obtain an NP solution (i.e., an NP upper bound), even
for the case when Φ is a Büchi or coBüchi objective. We now present an efficient reduction to probabilistic
games and show that we can solve deterministic games with objectives AssumeFair(E_l, Φ) in NP ∩ coNP
for parity objectives, and if Φ is a Büchi or coBüchi objective, then the solution is achieved in polynomial
time.

Reduction. Given a deterministic game graph G = ((S, E), (S_1, S_2)), a parity objective Φ with a
parity function p, and a set E_l ⊆ E_2 of player-2 edges, we construct a probabilistic game Ḡ =
((S̄, Ē), (S̄_1, S̄_2, S̄_P), δ) as follows.

1. State space. S̄ = S ∪ {s̄ | s ∈ Source(E_l), E(s) \ E_l ≠ ∅}, i.e., along with the states in S, there is a copy
s̄ of every state s in Source(E_l) that has at least one outgoing edge not contained in E_l.

2. State space partition. S̄_1 = S_1; S̄_P = Source(E_l); and S̄_2 = S̄ \ (S̄_1 ∪ S̄_P). The player-1 states in G
and Ḡ coincide; every state in Source(E_l) is a probabilistic state and all other states are player-2 states.

3. Edges and transitions. We explain the edges for the three different kinds of states.

(a) For s ∈ S̄_1 we have Ē(s) = E(s), i.e., the sets of edges from player-1 states in G and Ḡ coincide.

(b) For s ∈ S̄_2 we have the following cases: (i) if s ∈ S_2 (i.e., the state is also a player-2 state in G,
thus it is not in Source(E_l)), then Ē(s) = E(s), i.e., the set of edges is the same as in G; and
(ii) else s = s̄' with s' ∈ Source(E_l) and E(s') \ E_l ≠ ∅, and in this case Ē(s) = E(s') \ E_l.

(c) For a state s ∈ S̄_P we have the following two sub-cases: (i) if E(s) ⊆ E_l, then Ē(s) = E(s) and
the transition function chooses all states in E(s) uniformly at random; (ii) else Ē(s) = E(s) ∪ {s̄},
and the transition function is uniform over its successors.

Intuitively, the edges and transition function can be described as follows: all states s in Source(E_l)
are converted to probabilistic states, and from states in Source(E_l) all edges in E_l ∩ E(s) are chosen
uniformly at random and also the state s̄, which is a copy of s, is chosen, from where player 2 has the
choice of the edges from E(s) that are not contained in E_l.

Given the parity function p, we construct the parity function p̄ on S̄ as follows: for all states s ∈ S we have
p̄(s) = p(s), and for a state s̄ in S̄ that is a copy of s, we have p̄(s̄) = p(s). We refer to the above reduction
as the edge assumption reduction and denote it by AssRed, i.e., (Ḡ, p̄) = AssRed(G, E_l, p). The following
theorem states the connection between winning in G for the objective AssumeFair(E_l, Parity(p)) and winning
almost-surely in Ḡ for Parity(p̄). The key argument for the proof is as follows. A memoryless almost-sure
winning strategy σ̄ in Ḡ can be fixed in G, and it can be shown that the strategy in G is sure winning
for the Rabin objective that can be derived from the objective AssumeFair(E_l, Parity(p)). Conversely, a
memoryless sure winning strategy in G for the Rabin objective derived from AssumeFair(E_l, Parity(p))
can be fixed in Ḡ, and it can be shown that the strategy is almost-sure winning for Parity(p̄) in Ḡ. A key
property useful in the proof is as follows: for a probability distribution μ over a finite set A that assigns
positive probability to each element in A, if the probability distribution μ is sampled infinitely many times,
then every element in A appears infinitely often with probability 1.
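The edge assumption reduction as a concrete construction (an added example, not the authors' code): it builds (Ḡ, p̄) from a constructed game graph, a set E_l of fairness edges and a parity function p, following items 1 to 3 above; the dictionary encoding, the "P" owner tag and the (s, "copy") naming of s̄ are this example's own assumptions.

```python
from fractions import Fraction

# Constructed deterministic game graph (not from the paper).  Player 1 owns
# a; player 2 owns b, c and d.  p is an arbitrary parity function.
SUCC = {"a": ["b", "c"], "b": ["a", "d"], "c": ["d"], "d": ["a"]}
OWNER = {"a": 1, "b": 2, "c": 2, "d": 2}
PARITY = {"a": 0, "b": 1, "c": 2, "d": 1}
# Strongly fair assumption E_l: (b, a) whenever b recurs, and (c, d), which
# is the only edge of c, so c gets no copy state.
E_L = {("b", "a"), ("c", "d")}


def ass_red(succ, owner, parity, e_l):
    """AssRed(G, E_l, p): returns (succ_bar, owner_bar, delta, parity_bar).
    owner_bar maps a state to 1, 2 or "P" (probabilistic); delta holds the
    uniform distribution at probabilistic states; the copy s_bar of a
    state s is named (s, "copy")."""
    source = {s for (s, _) in e_l}                   # Source(E_l)
    succ_bar, owner_bar, delta, parity_bar = {}, {}, {}, {}
    for s in succ:
        parity_bar[s] = parity[s]                     # p_bar agrees with p on S
        if owner[s] == 1:                             # 3(a): player-1 edges unchanged
            succ_bar[s], owner_bar[s] = list(succ[s]), 1
        elif s not in source:                         # 3(b)(i): ordinary player-2 state
            succ_bar[s], owner_bar[s] = list(succ[s]), 2
        else:                                         # item 2 and 3(c): s becomes probabilistic
            owner_bar[s] = "P"
            free = [t for t in succ[s] if (s, t) not in e_l]   # E(s) \ E_l
            if not free:                              # 3(c)(i): E(s) contained in E_l
                succ_bar[s] = list(succ[s])
            else:                                     # 3(c)(ii): add the copy s_bar
                copy = (s, "copy")
                succ_bar[s] = list(succ[s]) + [copy]
                succ_bar[copy], owner_bar[copy] = free, 2      # 3(b)(ii): player 2 keeps E(s) \ E_l
                parity_bar[copy] = parity[s]                   # p_bar(s_bar) = p(s)
            n = len(succ_bar[s])
            delta[s] = {t: Fraction(1, n) for t in succ_bar[s]}   # uniform transition
    return succ_bar, owner_bar, delta, parity_bar


def partition(owner_bar):
    """State space partition (S_bar_1, S_bar_2, S_bar_P) of item 2."""
    return tuple({s for s, o in owner_bar.items() if o == who}
                 for who in (1, 2, "P"))
```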

Theorem 10. Let G be a deterministic game graph with a parity objective Φ defined by a parity
function p. Let E_l ⊆ E_2 be a subset of player-2 edges, and let (Ḡ, p̄) = AssRed(G, E_l, p). Then

⟨⟨1⟩⟩_almost(Parity(p̄)) ∩ S = ⟨⟨1⟩⟩_sure(AssumeFair(E_l, Φ)).

Theorem 10 presents a linear-time reduction of AssumeFair(E_l, Parity(p)) to probabilistic games with
parity objectives. Using the reduction of Theorem 2 and the results for deterministic parity games (Theo-
rem 1) we obtain the following corollary.

Corollary 1. Given a deterministic game graph G, an objective Φ, a set E_l of edges, and a state s, whether
s ∈ ⟨⟨1⟩⟩_sure(AssumeFair(E_l, Φ)) can be decided in quadratic time if Φ is a Büchi or a coBüchi objective,
and in NP ∩ coNP if Φ is a parity objective.

Complexity of computing a minimal strongly fair assumption. We now discuss the problem of finding
a minimal set of edges on which a strongly fair assumption is sufficient. Given a deterministic game graph
G, a Büchi objective Φ, a number k ∈ ℕ, and a state s, we show that 3SAT can be reduced to the problem
of deciding if there is a strongly fair assumption E_l with at most k edges (|E_l| ≤ k) that is sufficient for s
and Φ.

Given a CNF formula f, we will construct a deterministic game graph G, give a Büchi objective Φ, an
initial state s, and a constant k, such that f is satisfiable if and only if there exists a strongly fair assumption
E_l of size at most k that is sufficient for s and Φ. In Figure 3 we show a sketch of how to construct G:
for each variable v_i we build two player-2 states, one with the positive literal l_i and one with the negative
literal l̄_i. Each state has an edge to a Büchi state B and to a non-Büchi state B̄. Furthermore, for each variable




Fig. 3. Idea of the NP-hardness proof.

Fig. 4. Constructed environment assumption for the specification G(req → F grant) ∧ G(cancel → X ¬grant).

Fig. 5. System constructed with the assumption shown in Figure 4.

we add a player-1 state v_i that connects the two states l_i and l̄_i representing the literals. Similarly, for each
clause c_i = l_{i1} ∨ l_{i2} ∨ l_{i3} we have one player-1 state c_i connected to the states representing the literals l_{i1}, l_{i2},
and l_{i3}. Let n be the number of variables and c be the number of clauses in f, and let j = n + c. Starting
from the initial state 11 we have a grid of player-2 states with j columns and from 2 up to j rows depending
on the column. A grid state is connected to its right and to its upper neighbor. Each grid state in the last
column is connected either to a state v_i representing a variable or to a clause state c_i. The constructed game 𝒢
has 3n + c + … states and 6n + 2c + (j + 1)^2 edges. We set Φ = Büchi({B}), s = 11, and k = n.

Given a satisfying assignment I for f, we build a strongly fair assumption E_l that includes for each
variable v_i an edge such that if I(v_i) = true, then (l_i, B) ∈ E_l, else (l̄_i, B) ∈ E_l. (|E_l| = n = k.)
The memoryless strategy σ that sets σ(v_i) to l_i if I(v_i) = true, otherwise to l̄_i, and σ(c_i) to the state
representing the literal that is satisfied in c_i w.r.t. I, is a winning strategy for player 1 for state 11 and the
objective AssumeFair(E_l, Φ). It follows that E_l is sufficient for 11 and Φ. For the other direction, we observe
that any assumption E_l of size smaller than or equal to k that includes edges from grid states is not sufficient
for state 11 and Φ. Assume that there is some grid edge (s, t) in E_l. Since |E_l| ≤ k there is some variable
v for which neither the edge (l, B) nor (l̄, B) is in E_l. Due to the structure of the grid, player 2 can pick a
strategy that results in plays that avoid all except for one player-1 state. From this state v, player 1 has the
two choices to go to l or l̄, but from both states player 2 can avoid B. Player 2 has a winning strategy from
11 and so E_l is not sufficient. An assumption of size k that is sufficient for 11 and Φ only includes edges
from literal states l_i or l̄_i. Given an assumption E_l of size k that is sufficient for 11 and Φ. Since E_l includes
only edges from literal states, we can easily map E_l to a satisfying assignment I for f: if (l_i, B) ∈ E_l, then
I(v_i) = true, and if (l̄_i, B) ∈ E_l, then I(v_i) = false.

Theorem 11. Given a deterministic game graph G, a Büchi objective Φ, a number k ∈ ℕ, and a state s,
deciding if there is a strongly fair assumption E_l with at most k edges (|E_l| ≤ k) that is sufficient for s and
Φ is NP-hard.

Computing locally-minimal strongly fair assumptions. Since finding the minimal set of edges is NP-
hard, we focus on computing a locally minimal set of edges. Given a deterministic game graph G,
a state s ∈ S, and a parity objective Φ, we call a set E_l ⊆ E_2 of player-2 edges a locally-minimal
strongly fair assumption if s ∈ ⟨⟨1⟩⟩_sure(AssumeFair(E_l, Φ)) and for all proper subsets E_l' of E_l we have
s ∉ ⟨⟨1⟩⟩_sure(AssumeFair(E_l', Φ)). We now show that a locally-minimal strongly fair assumption set E*
of edges can be computed by polynomially many calls to a procedure that checks, given a set E_l of edges, whether
s ∈ ⟨⟨1⟩⟩_sure(AssumeFair(E_l, Φ)). The procedure is as follows:



1. Iteration 0. Let the initial set of assumption edges be all player-2 edges, i.e., let E^0 = E_2;
if s ∉ ⟨⟨1⟩⟩_sure(AssumeFair(E^0, Φ)), then there is no subset E_l of edges such that s ∈
⟨⟨1⟩⟩_sure(AssumeFair(E_l, Φ)). If s ∈ ⟨⟨1⟩⟩_sure(AssumeFair(E^0, Φ)), then we proceed to the next it-
erative step.

2. Iteration i. Let the current set of assumption edges be E^i such that we have s ∈
⟨⟨1⟩⟩_sure(AssumeFair(E^i, Φ)). If there exists e ∈ E^i such that s ∈ ⟨⟨1⟩⟩_sure(AssumeFair(E^i \ {e}, Φ)),
then let E^{i+1} = E^i \ {e}, and proceed to iteration i + 1. Else, if no such e exists, then E* = E^i is a
locally-minimal strongly fair assumption set of edges.

The claim that the set of edges obtained above is a locally-minimal strongly fair assumption set can be
proved as follows: for a set E_l of player-2 edges, if s ∉ ⟨⟨1⟩⟩_sure(AssumeFair(E_l, Φ)), then for all subsets
E_l' of E_l we have s ∉ ⟨⟨1⟩⟩_sure(AssumeFair(E_l', Φ)). It follows from the above that the set E* of player-2
edges obtained by the procedure satisfies s ∈ ⟨⟨1⟩⟩_sure(AssumeFair(E*, Φ)) and for all proper subsets
E' of E* we have s ∉ ⟨⟨1⟩⟩_sure(AssumeFair(E', Φ)). The desired result follows.

Theorem 12. The computed set E* of edges is a locally-minimal strongly fair assumption. 

6 Combining Safety and Liveness Assumptions 

Let φ be a specification and let 𝒢_φ = (G, s_I, λ) be the corresponding synthesis game with winning objective
Φ. We first compute a non-restrictive safety assumption E_s as described in Section 4. If φ is satisfiable,
it follows from Theorems 6 and 7 that E_s exists and that the corresponding environment assumption is
realizable for the environment. Then, we modify the winning objective of player 1 with the computed safety
assumption: we extend the set of winning plays of player 1 with all plays in which player 2 follows one
of the edges in E_s. Since E_s is safe-sufficient, it follows that s_I is live for player 1 in the modified game.
On the modified game, we compute a locally-minimal strongly fair assumption as described in Section 5
(Theorem 12). Finally, using Theorems 8 and 9, we conclude the following.

Theorem 13. Given a specification φ, if the assumption ψ = ψ_{E_s} ∩ ψ_{E_l} ≠ ∅, where E_s and E_l are
computed as shown before, then ψ is a sufficient assumption for φ that is realizable for the environment. If
φ has a corresponding synthesis game with a safety, reachability, or Büchi objective for player 1, then
if there exists a sufficient environment assumption ψ ≠ ∅, then the assumption ψ = ψ_{E_s} ∩ ψ_{E_l}, where E_s
and E_l are computed as shown before, is not empty.
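An added example (not the authors' implementation) that puts the definitions of Sections 5.1, 5.2 and 6 together: it decides membership in ⟨⟨1⟩⟩_sure(AssumeFair(E_l, Φ)) for a Büchi objective by brute force on a small constructed game, optionally after extending player 1's winning plays by the edges of a safety assumption E_s as in Section 6, and then runs the iterative removal procedure of Theorem 12. The game, its state names and the brute-force oracle are assumptions of this example; the oracle is exponential and only stands in for the polynomial reduction of Theorem 10.

```python
from itertools import product

# Constructed toy game (not from the paper).  Player 1 owns v; player 2 owns
# l, m, B and N.  B is the only Buchi state.  Without an assumption player 2
# wins by answering l or m with N and then stalling in N forever.
SUCC = {"v": ["l", "m"], "l": ["B", "N"], "m": ["B", "N"],
        "B": ["v"], "N": ["v", "N"]}
OWNER = {"v": 1, "l": 2, "m": 2, "B": 2, "N": 2}
BUCHI = {"B"}


def player2_edges(succ, owner):
    return {(s, t) for s in succ if owner[s] == 2 for t in succ[s]}


def forward_reach(succ, start, inside):
    """States reachable from `start` moving only through states of `inside`."""
    seen, stack = set(), [start]
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(t for t in succ[s] if t in inside)
    return seen


def is_limit_set(succ, c):
    """Can some infinite path visit exactly the states of c infinitely often?
    Yes iff every state of c has a successor in c and c is strongly connected
    within itself (so a singleton needs a self-loop)."""
    return all(any(t in c for t in succ[s]) for s in c) and \
        all(forward_reach(succ, s, c) == c for s in c)


def assumption_respected(c, e_l):
    """Strong fairness of Section 5.1 on a limit set c: for every (s, t) in
    E_l, s visited infinitely often implies t visited infinitely often."""
    return all(s not in c or t in c for (s, t) in e_l)


def sure_win(succ, owner, buchi, e_l, s0, e_s=frozenset()):
    """Does player 1 win from s0 the objective 'player 2 takes an E_s edge, or
    violates fairness on E_l, or the play is Buchi'?  AssumeFair is a Rabin
    objective, so a memoryless player-1 strategy suffices; once it is fixed,
    player 2 wins iff the remaining graph (E_s edges removed) has a reachable
    limit set that respects E_l and avoids the Buchi states."""
    p1 = [s for s in succ if owner[s] == 1]
    for choice in product(*(succ[s] for s in p1)):
        sigma = dict(zip(p1, choice))
        fixed = {s: [sigma[s]] if owner[s] == 1
                 else [t for t in succ[s] if (s, t) not in e_s] for s in succ}
        items = sorted(forward_reach(fixed, s0, set(succ)))
        bad = False
        for mask in range(1, 1 << len(items)):           # every non-empty subset
            c = {items[i] for i in range(len(items)) if mask >> i & 1}
            if is_limit_set(fixed, c) and assumption_respected(c, e_l) \
                    and not (c & buchi):
                bad = True
                break
        if not bad:
            return True
    return False


def locally_minimal_fair_assumption(succ, owner, buchi, s0, e_s=frozenset()):
    """Procedure of Section 5.2: start from E_l = E_2 and drop one edge at a
    time while s0 stays winning; stop when no single edge can be dropped.
    Returns None when even E_2 is not sufficient."""
    e_l = player2_edges(succ, owner)
    if not sure_win(succ, owner, buchi, e_l, s0, e_s):
        return None
    while True:
        for e in sorted(e_l):
            if sure_win(succ, owner, buchi, e_l - {e}, s0, e_s):
                e_l = e_l - {e}
                break
        else:
            return e_l
```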

Recall the example from the introduction with the signals req, cancel, and grant and the specifica-
tion G(req → X F grant) ∧ G((cancel ∨ grant) → X ¬grant). Applying our algorithm we get the
environment assumption ψ shown in Figure 4 (double lines indicate Büchi states). We could not describe
the language using an LTL formula, therefore we give its relation to the assumptions proposed in the in-
troduction. Our assumption ψ includes ψ_1 = G(¬cancel) and ψ_2 = G(F(¬cancel)), is a strict subset of
ψ_3 = χ W (χ ∧ (cancel ∨ grant) ∧ X grant) with χ = req → X F(¬cancel ∨ grant), and is incompa-
rable to all other sufficient assumptions. Even though the constructed assumption is not the weakest w.r.t.
language inclusion, it still serves its purpose: Figure 5 shows a system synthesized with a modified version
of [11] using the assumption ψ.